4 Configuring Web Settings in MSAS

This chapter introduces the proxy auto-config (PAC) file in MSAS and describes how to configure blocked, direct, and proxy URL web settings in Mobile Security Access Server. The web settings that are defined in these PAC files instruct the Secure Workspace app and containerized apps which URLs to proxy through MSAS, which URLs to access directly without going through MSAS, and which URLs to block completely.

4.1 Understanding PAC Files in MSAS

To handle large sets of URLs, the industry defined the proxy auto-config (PAC) file. A PAC file allows clients (browsers, user agents, mobile devices, and so on) to be configured automatically with how URLs should be accessed. Mobile Security Access Server (MSAS) can act as a proxy or a reverse proxy as described in "Getting Started with Mobile Security Access Server", and throughout this book. It generates a PAC file automatically based on how the URLs in an MSAS instance are configured.

A PAC file includes a JavaScript function, FindProxyForURL(url, host), that determines how each URL is handled: proxied through MSAS, accessed directly, or blocked.

Each MSAS instance generates two PAC files, accessible at the following URLs:

  • https://msas-host:msas-ssl-port/bmax/stunnel.pac

  • http://msas-host:msas-port/bmax/bmax.pac

where msas-host:msas-ssl-port represents the host and SSL port of the MSAS instance, and msas-host:msas-port represents the host and the non-SSL port of the MSAS instance. The Secure Workspace app is automatically configured with these files during registration and then enforces the rules defined in them.

The only difference between these two PAC files is the port that they use for forward proxy calls. The stunnel.pac file uses the HTTPS port and is used by the Secure Workspace and containerized apps for forward proxy calls. The bmax.pac file uses the HTTP port and is used by browsers such as Safari for forward proxy calls.

The stunnel.pac and bmax.pac files are refreshed periodically to reflect any changes made to web settings. By default, the refresh interval is 24 hours. You can configure the interval using the cache.refresh.repeat property or force an immediate refresh using the synchronize feature as described in "Synchronizing MSAS Instance Configuration". For details about configuring the cache.refresh.repeat property, see:

4.2 Understanding the Mapping Between PAC Files and MSAS Applications

When you create an MSAS instance, DIRECT and BLOCK applications are created by default. You edit these applications to configure the direct and blocked URLs. These applications are reserved and cannot be deleted.

A Default URL proxy application is also created. This application is provided for convenience purposes and is used to secure all forward-proxy requests by default. It contains a wildcard path (/) that applies to all URLs in the environment that are not defined explicitly in a proxy application. By using a default URL, you do not need to define every URL in the system using a proxy URL. You can edit the URL defined in the application, and you can add or delete proxy URLs. You can edit the name of this application, and delete it.

You can create proxy applications in MSAS that specify back-end URLs that will be proxied directly through the Mobile Security Access Server. Any URL defined within a proxy application is automatically classified with the "proxy" access type. Proxy applications can be updated or deleted.

Table 4-1 describes the mapping between MSAS applications and the corresponding PAC files that are generated.

Table 4-1 Mapping Between MSAS Applications and the Proxy Auto-Config File

| Application Type | PAC File Mapping |
|---|---|
| MSAS Proxy Application | All URLs within MSAS Proxy Apps are handled as Proxy URLs in PAC. This instructs the client that all matching URLs in this section should be proxied through the MSAS. |
| MSAS DIRECT Application | All URLs within this reserved application map to Direct URLs in PAC. This instructs the client that all matching URLs in this section should be accessed directly without going through MSAS. |
| MSAS BLOCK Application | All URLs within this reserved application map to Block URLs in PAC. This instructs the client that all matching URLs in this section should be completely blocked from access. |


MSAS performs string matching on the URLs as follows:

  • Each URL must include the scheme, and can optionally include the host, path, or query string, or any parts of those components. You can use the wildcard * for specific URL patterns as follows:

    • For HTTP and HTTPS requests, use http://* and https://*.

    • For any request hitting a specific domain, for example *.example.com.

    • For any request hitting a specific domain only over HTTPS, for example https://*.example.com.

    • To match some parts of a path but not others. For example, configuring https://www.example.com/somedir/* in the BLOCK application will block access to all sub-paths under somedir. Configuring https://www.example.com/somedir/stock/* in a proxy application will allow access for all sub-paths under somedir/stock.

  • All URLs are converted to lowercase before matching.

  • By default, if a requested URL does not match any entries in the access list, and there is no default proxy URL defined, then the requested URL is sent as a direct type.
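The matching rules above can be checked offline before URLs are entered in the console. The following is an added example, not the PAC file that MSAS generates and not Oracle code. The rule set, the sample URLs, and the names RULES, toRegex and classify are constructed for illustration, and it assumes that a pattern must cover the whole URL and that the longest matching pattern wins when several match.

```javascript
// Constructed rule set (not from a real MSAS instance). "type" mirrors the
// application a URL is entered in: BLOCK, DIRECT, or a proxy application.
const RULES = [
  { type: "block",  pattern: "https://www.example.com/somedir/*" },
  { type: "proxy",  pattern: "https://www.example.com/somedir/stock/*" },
  { type: "direct", pattern: "https://*.cdn.example.net/*" },
  { type: "block",  pattern: "http://*" },
];

// Compile a pattern to an anchored regex: "*" matches any run of characters,
// every other character is literal. Assumption: a pattern covers the whole URL.
function toRegex(pattern) {
  const escaped = pattern.toLowerCase()
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// Return "block", "direct" or "proxy" for a URL.
// Assumption: when several patterns match, the longest (most specific) wins.
function classify(url, rules, hasDefaultProxy) {
  const u = url.toLowerCase(); // URLs are lowercased before matching
  let best = null;
  for (const rule of rules) {
    const longer = best === null || rule.pattern.length > best.pattern.length;
    if (longer && toRegex(rule.pattern).test(u)) best = rule;
  }
  if (best !== null) return best.type;
  // No match: the default proxy URL catches it if defined, otherwise direct.
  return hasDefaultProxy ? "proxy" : "direct";
}

// Constructed sample URLs to check before entering the rules in the console.
const SAMPLES = [
  "https://www.example.com/somedir/report.html",
  "https://WWW.Example.com/SomeDir/Stock/quote",
  "https://img.cdn.example.net/a.png",
  "http://intranet.example.org/",
  "https://other.example.org/",
];
for (const url of SAMPLES) {
  console.log(classify(url, RULES, false).padEnd(7), url);
}
```

The last sample URL matches no rule, so its result depends only on whether a default proxy URL is defined for the instance.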

4.3 Configuring Blocked URLs

To configure blocked URLs, add them to the reserved BLOCK application for the MSAS instance. To do so:

  1. From the Mobile Security Launch Pad, select Applications in the Mobile Security Access Server section.

  2. Use the Search feature to locate the BLOCK application for the instance. Either of the following methods will work:

    • From the Type menu, select Blocked URLs. A list of the first five BLOCK applications in the environment, sorted as shown in the Sort By field, is displayed. Click Load More Items to display additional applications.

    • From the Search menu, select MSAS Instance Name, enter all or part of the instance name in the Search field and click the search icon. % is accepted as a wildcard in the search field. If the BLOCK application for the desired MSAS instance isn't displayed, select Blocked URLs from the Type menu.

  3. Click the Block icon or the BLOCK application name to open the Blocked URLs page.

  4. Click +URL to open the Add Blocked URL page. If no URLs are currently defined in the application, you can also click Create URL.

  5. In the Add Blocked URL page, click Add.

  6. Complete the Host URL and Name fields, and optionally, the Description field.

  7. Continue to click Add and complete the fields for all URLs to be blocked.

  8. Click Save.

4.4 Configuring Direct URLs

To configure direct URLs, add them to the reserved DIRECT application for the MSAS instance. To do so:

  1. From the Mobile Security Launch Pad, select Applications in the Mobile Security Access Server section.

  2. Use the Search feature to locate the DIRECT application for the instance. Either of the following methods will work:

    • From the Type menu, select Direct URLs. A list of the first five DIRECT applications in the environment, sorted as shown in the Sort By field, is displayed. Click Load More Items to display additional applications.

    • From the Search menu, select MSAS Instance Name, enter all or part of the instance name in the Search field and click the search icon. % is accepted as a wildcard in the search field. If the DIRECT application for the desired MSAS instance isn't displayed, select Direct URLs from the Type menu.

  3. Click the Direct icon or the DIRECT application name to open the Direct URLs page.

  4. Click +URL to open the Add Direct URL page. If no URLs are currently defined in the application, you can also click Create URL.

  5. In the Add Direct URL page, click Add.

  6. Complete the Host URL and Name fields, and optionally, the Description field.

  7. Continue to click Add and complete the fields for all URLs to be given direct access.

  8. Click Save.